sneak/pixa
1
0
Fork 0
Code Issues 3 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a50364bfcab5f58739673795de4d2af69ccb54e1
pixa/internal
History
clawbot a50364bfca
All checks were successful
check / check (push) Successful in 58s
Details
Enforce and document exact-match-only for signature verification (#40) 
Closes #27

Signatures are per-URL only — this PR adds explicit tests and documentation enforcing that HMAC-SHA256 signatures verify against exact URLs only. No suffix matching, wildcard matching, or partial matching is supported.

## What this does NOT touch

**The host whitelist code (`whitelist.go`) is not modified.** This PR is exclusively about signature verification, per sneak's instructions on [issue #27](#27), [PR #32](#32), and [PR #35](#35).

## Changes

### `internal/imgcache/signature.go`
- Added documentation comments on `Verify()` and `buildSignatureData()` explicitly specifying that signatures are exact-match only — no suffix, wildcard, or partial matching

### `internal/imgcache/signature_test.go`
- **`TestSigner_Verify_ExactMatchOnly`**: 14 tamper cases verifying that modifying any signed component (host, path, query, dimensions, format) causes verification to fail. Host-specific cases include:
  - Parent domain (`example.com`) does not match subdomain signature (`cdn.example.com`)
  - Sibling subdomain (`images.example.com`) does not match
  - Deeper subdomain (`images.cdn.example.com`) does not match
  - Evil suffix domain (`cdn.example.com.evil.com`) does not match
  - Prefixed host (`evilcdn.example.com`) does not match
- **`TestSigner_Sign_ExactHostInData`**: Verifies that suffix-related hosts (`cdn.example.com`, `example.com`, `images.example.com`, etc.) all produce distinct signatures

### `internal/imgcache/service_test.go`
- **`TestService_ValidateRequest_SignatureExactHostMatch`**: Integration test through `ValidateRequest` verifying that a valid signature for `cdn.example.com` is rejected when presented with a different host (parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host)

### `README.md`
- Updated Signature Specification section to explicitly document exact-match-only semantics

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #40
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-20 23:56:45 +01:00
..
config
fix: update Dockerfile to Go 1.25.4 and resolve gosec lint findings
2026-02-25 05:44:49 -08:00
database
feat: parse version prefix from migration filenames (#33)
2026-03-18 03:18:38 +01:00
encurl
Add 'Never' expiry option for encrypted URLs
2026-01-08 11:08:11 -08:00
globals
Consolidate appname to internal/globals as a constant (#34)
2026-03-20 07:04:54 +01:00
handlers
feat: parse version prefix from migration filenames (#33)
2026-03-18 03:18:38 +01:00
healthcheck
Rename unused parameters to _ to satisfy linter
2026-01-08 02:27:45 -08:00
imageprocessor
Bound imageprocessor.Process input read to prevent unbounded memory use (#37)
2026-03-20 07:01:15 +01:00
imgcache
Enforce and document exact-match-only for signature verification (#40)
2026-03-20 23:56:45 +01:00
logger
fix: resolve all golangci-lint errors
2026-02-25 19:58:37 +07:00
middleware
Fix logging: add response_bytes to middleware, cache_key to handler
2026-01-08 13:05:10 -08:00
seal
Add seal package for authenticated encryption
2026-01-08 07:37:53 -08:00
server
Change encrypted URL format to /v1/e/{token}/img.{ext}
2026-01-08 16:14:01 -08:00
session
Add session package for encrypted cookie management
2026-01-08 07:37:58 -08:00
static
Add static files and HTML templates for web UI
2026-01-08 07:38:09 -08:00
templates
Add AVIF option to URL generator
2026-01-08 13:12:51 -08:00